Added patterns to prevent string values from start or ending with whi…
…tespace. Resolves CVEProject#232
david-waltermire committed Jun 22, 2023
1 parent 76a8bb2 commit e2641ea
Showing 1 changed file with 46 additions and 23 deletions.
69 changes: 46 additions & 23 deletions schema/v5.0/CVE_JSON_5.0_schema.json
Expand Up @@ -29,7 +29,8 @@
"description": "User created name for the reference, often the title of the page.",
"type": "string",
"maxLength": 512,
"minLength": 1
"minLength": 1,
"pattern": "^(?:\\S|\\S.*\\S)$"
},
"tags": {
"description": "An array of one or more tags that describe the resource referenced by 'url'.",
Expand Down Expand Up @@ -66,7 +67,8 @@
"description": "A 2-32 character name that can be used to complement an organization's UUID.",
"type": "string",
"minLength": 2,
"maxLength": 32
"maxLength": 32,
"pattern": "^(?:\\S|\\S.*\\S)$"
},
"datestamp": {
"description": "Date/time format based on RFC3339 and ISO ISO8601.",
Expand All @@ -84,7 +86,8 @@
"description": "A single version of a product, as expressed in its own version numbering scheme.",
"type": "string",
"minLength": 1,
"maxLength": 1024
"maxLength": 1024,
"pattern": "^(?:\\S|\\S.*\\S)$"
},
"status": {
"description": "The vulnerability status of a given version or range of versions of a product. The statuses 'affected' and 'unaffected' indicate that the version is affected or unaffected by the vulnerability. The status 'unknown' indicates that it is unknown or unspecified whether the given version is affected. There can be many reasons for an 'unknown' status, including that an investigation has not been undertaken or that a vendor has not disclosed the status.",
Expand Down Expand Up @@ -119,7 +122,8 @@
"type": "string",
"description": "Name of the affected product.",
"minLength": 1,
"maxLength": 2048
"maxLength": 2048,
"pattern": "^(?:\\S|\\S.*\\S)$"
},
"collectionURL": {
"description": "URL identifying a package collection (determines the meaning of packageName).",
Expand Down Expand Up @@ -204,7 +208,7 @@
"title": "CPE Name",
"type": "string",
"description":"Common Platform Enumeration (CPE) Name in either 2.2 or 2.3 format",
"pattern": "([c][pP][eE]:/[AHOaho]?(:[A-Za-z0-9._\\-~%]*){0,6})|(cpe:2\\.3:[aho*\\-](:(((\\?*|\\*?)([a-zA-Z0-9\\-._]|(\\\\[\\\\*?!\"#$%&'()+,/:;<=>@\\[\\]\\^`{|}~]))+(\\?*|\\*?))|[*\\-])){5}(:(([a-zA-Z]{2,3}(-([a-zA-Z]{2}|[0-9]{3}))?)|[*\\-]))(:(((\\?*|\\*?)([a-zA-Z0-9\\-._]|(\\\\[\\\\*?!\"#$%&'()+,/:;<=>@\\[\\]\\^`{|}~]))+(\\?*|\\*?))|[*\\-])){4})",
"pattern": "^([c][pP][eE]:/[AHOaho]?(:[A-Za-z0-9._\\-~%]*){0,6})|(cpe:2\\.3:[aho*\\-](:(((\\?*|\\*?)([a-zA-Z0-9\\-._]|(\\\\[\\\\*?!\"#$%&'()+,/:;<=>@\\[\\]\\^`{|}~]))+(\\?*|\\*?))|[*\\-])){5}(:(([a-zA-Z]{2,3}(-([a-zA-Z]{2}|[0-9]{3}))?)|[*\\-]))(:(((\\?*|\\*?)([a-zA-Z0-9\\-._]|(\\\\[\\\\*?!\"#$%&'()+,/:;<=>@\\[\\]\\^`{|}~]))+(\\?*|\\*?))|[*\\-])){4})$",
"minLength": 1,
"maxLength": 2048
}
Expand All @@ -217,7 +221,8 @@
"type": "string",
"description": "Name of the affected component, feature, module, sub-component, sub-product, API, command, utility, program, or functionality (optional).",
"minLength": 1,
"maxLength": 4096
"maxLength": 4096,
"pattern": "^(?:\\S|\\S.*\\S)$"
}
},
"programFiles": {
Expand All @@ -228,7 +233,8 @@
"description": "Name or path or location of the affected source code file.",
"type": "string",
"minLength": 1,
"maxLength": 1024
"maxLength": 1024,
"pattern": "^(?:\\S|\\S.*\\S)$"
}
},
"programRoutines": {
Expand All @@ -246,7 +252,8 @@
"type": "string",
"description": "Name of the affected source code file, function, method, subroutine, or procedure.",
"minLength": 1,
"maxLength": 4096
"maxLength": 4096,
"pattern": "^(?:\\S|\\S.*\\S)$"
}
}
}
Expand Down Expand Up @@ -310,6 +317,7 @@
"description": "The version numbering system used for specifying the range. This defines the exact semantics of the comparison (less-than) operation on versions, which is required to understand the range itself. 'Custom' indicates that the version type is unspecified and should be avoided whenever possible. It is included primarily for use in conversion of older data files.",
"minLength": 1,
"maxLength": 128,
"pattern": "^(?:\\S|\\S.*\\S)$",
"examples": [
"custom",
"git",
Expand Down Expand Up @@ -506,7 +514,8 @@
"type": "string",
"description": "A title, headline, or a brief phrase summarizing the CVE record. Eg., Buffer overflow in Example Soft.",
"minLength": 1,
"maxLength": 256
"maxLength": 256,
"pattern": "^(?:\\S|\\S.*\\S)$"
},
"descriptions": {
"$ref": "#/definitions/descriptions"
Expand Down Expand Up @@ -610,7 +619,8 @@
"type": "string",
"description": "A title, headline, or a brief phrase summarizing the information in an ADP container.",
"minLength": 1,
"maxLength": 256
"maxLength": 256,
"pattern": "^(?:\\S|\\S.*\\S)$"
},
"descriptions": {
"$ref": "#/definitions/descriptions"
Expand Down Expand Up @@ -698,6 +708,7 @@
"title": "Media type",
"minLength": 1,
"maxLength": 256,
"pattern": "^(?:\\S|\\S.*\\S)$",
"description": "RFC2046 compliant IANA Media type for eg., text/markdown, text/html.",
"examples": [
"text/markdown",
Expand All @@ -717,7 +728,8 @@
"type": "string",
"description": "Supporting media content, up to 16K. If base64 is true, this field stores base64 encoded data.",
"minLength": 1,
"maxLength": 16384
"maxLength": 16384,
"pattern": "^(?:\\S|\\S.*\\S)$"
}
},
"required": [
Expand Down Expand Up @@ -773,7 +785,8 @@
"type": "string",
"description": "Text description of problemType, or title from CWE or OWASP.",
"minLength": 1,
"maxLength": 4096
"maxLength": 4096,
"pattern": "^(?:\\S|\\S.*\\S)$"
},
"cweId": {
"type": "string",
Expand All @@ -786,7 +799,8 @@
"type": "string",
"description": "Problemtype source, text, OWASP, CWE, etc.,",
"minLength": 1,
"maxLength": 128
"maxLength": 128,
"pattern": "^(?:\\S|\\S.*\\S)$"
},
"references": {"$ref": "#/definitions/references"}
},
Expand Down Expand Up @@ -862,7 +876,8 @@
"type": "string",
"description": "Name of the scoring format. This provides a bit of future proofing. Additional properties are not prohibited, so this will support the inclusion of proprietary formats. It also provides an easy future conversion mechanism when future score formats become part of the schema. example: cvssV44, format = 'cvssV44', other = cvssV4_4 JSON object. In the future, the other properties can be converted to score properties when they become part of the schema.",
"minLength": 1,
"maxLength": 64
"maxLength": 64,
"pattern": "^(?:\\S|\\S.*\\S)$"
},
"scenarios": {
"type": "array",
Expand All @@ -878,7 +893,8 @@
"default": "GENERAL",
"description": "Description of the scenario this metrics object applies to. If no specific scenario is given, GENERAL is used as the default and applies when no more specific metric matches.",
"minLength": 1,
"maxLength": 4096
"maxLength": 4096,
"pattern": "^(?:\\S|\\S.*\\S)$"
}
},
"required": [
Expand All @@ -902,7 +918,8 @@
"description": "Name of the non-standard impact metrics format used.",
"type": "string",
"minLength": 1,
"maxLength": 128
"maxLength": 128,
"pattern": "^(?:\\S|\\S.*\\S)$"
},
"content": {
"type": "object",
Expand Down Expand Up @@ -997,7 +1014,8 @@
"value": {
"type": "string",
"minLength": 1,
"maxLength": 4096
"maxLength": 4096,
"pattern": "^(?:\\S|\\S.*\\S)$"
},
"user": {
"description": "UUID of the user being credited if present in the CVE User Registry (optional). This UUID can be used to lookup the user record in the user registry service.",
Expand Down Expand Up @@ -1061,17 +1079,19 @@
"type": "string",
"description": "The name of the taxonomy.",
"minLength": 1,
"maxLength": 128
"maxLength": 128,
"pattern": "^(?:\\S|\\S.*\\S)$"
},
"taxonomyVersion": {
"type": "string",
"description": "The version of taxonomy the identifiers come from.",
"minLength": 1,
"maxLength": 128
"maxLength": 128,
"pattern": "^(?:\\S|\\S.*\\S)$"
},
"taxonomyRelations": {
"type": "array",
"description": "",
"description": "The taxonomy relationship type.",
"minItems": 1,
"uniqueItems": true,
"items": {
Expand All @@ -1087,19 +1107,22 @@
"type": "string",
"description": "Identifier of the item in the taxonomy. Used as the subject of the relationship.",
"minLength": 1,
"maxLength": 2048
"maxLength": 2048,
"pattern": "^(?:\\S|\\S.*\\S)$"
},
"relationshipName": {
"type": "string",
"description": "A description of the relationship.",
"minLength": 1,
"maxLength": 128
"maxLength": 128,
"pattern": "^(?:\\S|\\S.*\\S)$"
},
"relationshipValue": {
"type": "string",
"description": "The target of the relationship. Can be the CVE ID or another taxonomy identifier.",
"minLength": 1,
"maxLength": 2048
"maxLength": 2048,
"pattern": "^(?:\\S|\\S.*\\S)$"
}
}
}
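Review bot: In the CPE Name hunk (`@@ -204,7 +208,7 @@`) the added anchors do not bind the whole expression: the pattern has the shape `^(…2.2 form…)|(…2.3 form…)$`, and because `|` has the lowest precedence, `^` applies only to the 2.2 branch and `$` only to the 2.3 branch. A value that merely starts with a CPE 2.2 name, or merely ends with a CPE 2.3 name, still validates, so surrounding whitespace or other stray text is not rejected and can reach consumers that match products on the CPE string. Wrapping the alternation in a single group fixes this with both branches unchanged: `^(?:(…2.2 form…)|(…2.3 form…))$`. Separately, in the repeated `^(?:\\S|\\S.*\\S)$` pattern, `.` does not match line terminators under ECMA-262, so values with embedded newlines (the 16K supporting-media `value`, for example) would presumably fail validation. If multi-line values are meant to remain legal, `^(?:\\S|\\S[\\s\\S]*\\S)$` keeps the leading/trailing check without that side effect.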
